With the steady rise in attack vectors and in the frequency of attacks, it is mandatory to keep all your enterprise endpoints up to date and patched round the clock. The best way to address this problem is to have a systematic, automated solution that manages patches for multiple operating systems and third-party applications effectively.
The Automate Patch Deployment (APD) feature provides system administrators the ability to deploy patches missing in their network computers automatically, without any manual intervention required.
To keep up with the security demands of the industry, APD triggers an automated scan (instead of a manually scheduled scan) as soon as the server synchronizes with the Central Vulnerability Database. Missing patches on the network endpoints are detected and the details are posted to the server. The patches are then downloaded onto the server from the vendors' sites and deployed automatically within the specified deployment window. The APD process aims to eliminate the manual effort of scheduling a scan and subsequently downloading the missing patches, so that endpoints stay current with the most recent patches.
Pre-requisite:
Configure Vulnerability Database Settings to specify the time interval for the Central server to synchronize with the Central Vulnerability Database and collect details of the latest patches available.
Note:
After synchronization with the Central Vulnerability Database, the Central Server collects details of the latest patches released. In the next refresh cycle, agents automatically scan the computers to check whether the newly available patches are missing. With Automate Patch Deployment, these patches are then deployed without further delay. An Automate Patch Deployment task ensures that all the computers in the network are fully patched.
Follow the steps given below to create tasks for automating patch deployment for a set of computers:
If you want to deploy updates related only to operating systems (for example Windows, Mac or Linux), enable one of the given check boxes:
If you want to deploy updates related only to third-party applications, specify the severity as Critical/Important/Moderate/Low/Unrated.
Specify whether you want to deploy updates for all applications or include/exclude specific applications.
Select this option to deploy anti-virus definition updates for the following: McAfee VirusScan Enterprise, Microsoft Forefront Endpoint Protection 2010 Server Management, Microsoft Forefront Endpoint Protection 2010 Server Management x64, Microsoft Forefront Client Security, Microsoft Forefront Client Security x64, Microsoft Security Essentials, Microsoft Security Essentials x64.
You can choose to delay the deployment of patches to ensure their stability. You can deploy the patches a specific number of days after either the date of release or the date of approval.
For example, if you specify "5 days after release", the patches will be deployed only 5 days after the day they were added to the Central Server database. If you choose "5 days after approval", the patches will be deployed only 5 days after the patch was marked as approved.
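The selection rules above (OS-only or third-party-only scope, severity, include/exclude lists, and the release- or approval-based delay) can be put together as one filter. The following is an added illustration, not the product's own code or schema: the patch fields, the task keys and the sample catalogue are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample catalogue. Field names are assumptions for this example,
# not the product's database schema.
PATCHES = [
    {"id": "P-1", "os": "Windows", "application": None, "severity": "Critical",
     "released": date(2024, 3, 1), "approved": date(2024, 3, 4)},
    {"id": "P-2", "os": None, "application": "Adobe Reader", "severity": "Important",
     "released": date(2024, 3, 2), "approved": None},
    {"id": "P-3", "os": None, "application": "7-Zip", "severity": "Low",
     "released": date(2024, 2, 20), "approved": date(2024, 2, 21)},
    {"id": "P-4", "os": "Mac", "application": None, "severity": "Moderate",
     "released": date(2024, 3, 5), "approved": None},
]

# Constructed task settings mirroring the options in the text (assumed key names).
EXAMPLE_TASK = {
    "os": {"Windows"},                        # OS check boxes enabled
    "severities": {"Critical", "Important"},  # third-party severities
    "apps_include": None,                     # None = all applications
    "apps_exclude": set(),                    # explicitly excluded applications
    "delay_days": 5,                          # "Deploy Patches After" value
    "delay_from": "release",                  # 'release' or 'approval'
}


def select_patches(patches, task, today):
    """Return the ids of patches the task would deploy on `today`."""
    due = []
    for p in patches:
        if p["os"] is not None:
            # OS patch: governed only by the OS check boxes.
            if p["os"] not in task["os"]:
                continue
        else:
            # Third-party patch: severity plus include/exclude lists.
            if p["severity"] not in task["severities"]:
                continue
            if task["apps_include"] is not None and p["application"] not in task["apps_include"]:
                continue
            if p["application"] in task["apps_exclude"]:
                continue
        # Delay is counted from release or from approval, as configured.
        anchor = p["released"] if task["delay_from"] == "release" else p["approved"]
        if anchor is None:
            # Approval-based delay: an unapproved patch is never due.
            continue
        if today < anchor + timedelta(days=task["delay_days"]):
            continue
        due.append(p["id"])
    return due


def due_patches(delay_from, today_iso):
    """Convenience wrapper: evaluate EXAMPLE_TASK with the given delay basis and date."""
    task = dict(EXAMPLE_TASK, delay_from=delay_from)
    return select_patches(PATCHES, task, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print("release-based :", due_patches("release", "2024-03-07"))
    print("approval-based:", due_patches("approval", "2024-03-07"))
```

With the release-based delay, P-1 and P-2 are due on 7 March 2024 while the Low-severity and Mac patches fall outside the task's scope; switching to the approval-based delay holds P-1 back until 9 March and never selects P-2, which has no approval date.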
Configure Notification settings to receive email notifications for the following :
Click Save to create the task. All the chosen computers will now automatically receive the missing patches within the deployment window specified in the selected deployment policy.
Vulnerabilities increase every day, so we must have up-to-date scan data showing which computers on the network are missing critical and important patches. That is why the scan task has been automated: after the vulnerability database sync, if new patches have been released since the previous sync, agents automatically scan in the subsequent refresh cycle.
Definitely not. The scan happens right after the database is synced. Every time a scan happens, the latest missing patches are detected and downloaded onto the server. Because agents post only the diff scan data (the difference between two consecutive scans), the server is not overburdened.
Network traffic is also unaffected, since no on-demand scan is initiated from the server. As with a configuration, the agents scan only in their subsequent refresh cycle, so the traffic is spread across the refresh interval.
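The "diff scan data" mechanism described above can be illustrated with a small agent/server pair. This is an added example, not the product's own code or wire format: the patch ids, status values and the two scan snapshots are constructed for the example.

```python
# Constructed snapshots of what one agent found in two consecutive refresh cycles.
# Status values and ids are assumptions for this example.
SCAN_1 = {"KB-A": "missing", "KB-B": "missing", "KB-C": "installed"}
SCAN_2 = {"KB-A": "installed",   # deployed between the two scans
          "KB-B": "missing",
          "KB-C": "installed",
          "KB-D": "missing"}     # newly released patch detected after the DB sync


def scan_diff(previous, current):
    """Agent side: return only the entries whose status changed between two scans.

    A patch that appears for the first time has a 'from' of None; one that
    disappears from the catalogue has a 'to' of None.
    """
    changed = {}
    for pid in sorted(set(previous) | set(current)):
        before, after = previous.get(pid), current.get(pid)
        if before != after:
            changed[pid] = {"from": before, "to": after}
    return changed


def build_post(agent_id, previous, current):
    """Agent side: payload to post to the server, or None when nothing changed."""
    diff = scan_diff(previous, current)
    if not diff:
        return None  # nothing posted; the server does no work for this agent
    return {"agent": agent_id, "changes": diff}


def apply_diff(server_state, diff):
    """Server side: reconstruct the agent's full status from the stored state plus the diff."""
    state = dict(server_state)
    for pid, change in diff.items():
        if change["to"] is None:
            state.pop(pid, None)
        else:
            state[pid] = change["to"]
    return state


def missing_after_sync(server_state):
    """Server side: the set of patches still to be deployed for this agent."""
    return sorted(pid for pid, status in server_state.items() if status == "missing")


if __name__ == "__main__":
    post = build_post("agent-01", SCAN_1, SCAN_2)
    print("posted:", post)
    print("server view:", apply_diff(SCAN_1, post["changes"]))
    print("still missing:", missing_after_sync(apply_diff(SCAN_1, post["changes"])))
```

Only two of the four catalogue entries travel over the network (KB-A becoming installed and KB-D newly missing), and applying that diff to the server's copy of the previous scan yields exactly the agent's current state; an unchanged scan produces no post at all.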
You can use Schedule Reports (Reports -> Schedule Reports). Schedule the reports to be emailed 2 hours after the database sync; you can also configure them at any frequency you wish.
You can use the deployment policy to control the date and time at which the latest available patches are deployed. While the scan process is automated, you can define deployment policies that best suit your network environment.
Navigate to Patch View from APD (APD --> Patch View).
No problem at all. You can still use the "Deploy Patches After" option under APD, with which you can:
You can also tweak the deployment policy settings for a suitable deployment window.